Update CodeQL rule ID for stack-trace-exposure (#440)

Updated rule ID since CodeQL changed. We may one day want to support multiple rule IDs.
pixee · Aug 16, 2024 · 9170c87 · 9170c87
1 parent f067232
commit 9170c87
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 17 deletions.
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/StackTraceExposureCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/StackTraceExposureCodemod.java
@@ -13,17 +13,20 @@
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import javax.inject.Inject;
 
-/** Fixes issues reported under the id "java/stack-trace-exposure" */
+/**
+ * Fixes issues reported under the id "java/java-error-message-exposure" (used to be
+ * java-stack-trace-exposure).
+ */
 @Codemod(
-    id = "codeql:java/stack-trace-exposure",
+    id = "codeql:java/error-message-exposure",
     reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
     importance = Importance.MEDIUM,
     executionPriority = CodemodExecutionPriority.HIGH)
 public final class StackTraceExposureCodemod extends CodeQLSarifJavaParserChanger<Expression> {
 
   @Inject
   public StackTraceExposureCodemod(
-      @ProvidedCodeQLScan(ruleId = "java/stack-trace-exposure") final RuleSarif sarif) {
+      @ProvidedCodeQLScan(ruleId = "java/error-message-exposure") final RuleSarif sarif) {
     super(sarif, Expression.class, SourceCodeRegionExtractor.FROM_SARIF_FIRST_LOCATION);
   }
 
@@ -57,8 +60,8 @@ public ChangesResult onResultFound(
   @Override
   public DetectorRule detectorRule() {
     return new DetectorRule(
-        "stack-trace-exposure",
+        "error-message-exposure",
         "Prevent information leak of stack trace details to HTTP responses",
-        "https://codeql.github.com/codeql-query-help/java/java-stack-trace-exposure/");
+        "https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/");
   }
 }
diff --git a/...-codemods/src/main/resources/io/codemodder/codemods/StackTraceExposureCodemod/report.json b/...-codemods/src/main/resources/io/codemodder/codemods/StackTraceExposureCodemod/report.json
@@ -3,7 +3,7 @@
   "change": "Removed the argument which would end up exposed in the HTTP response and leak implementation details of our application to the user",
   "reviewGuidanceJustification" : "This codemod prevents internal coding details from reaching the HTTP response body, and we believe that fixing it presents zero risk.",
   "references" : [
-    "https://codeql.github.com/codeql-query-help/java/java-stack-trace-exposure/",
+    "https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/",
     "https://cwe.mitre.org/data/definitions/209.html",
     "https://cwe.mitre.org/data/definitions/497.html"
   ]

diff --git a/core-codemods/src/test/resources/stack-trace-exposure/out.sarif b/core-codemods/src/test/resources/stack-trace-exposure/out.sarif
@@ -8,8 +8,8 @@
         "organization" : "GitHub",
         "semanticVersion" : "2.11.6",
         "rules" : [ {
-          "id" : "java/stack-trace-exposure",
-          "name" : "java/stack-trace-exposure",
+          "id" : "java/error-message-exposure",
+          "name" : "java/error-message-exposure",
           "shortDescription" : {
             "text" : "Information exposure through a stack trace"
           },
@@ -23,7 +23,7 @@
           "properties" : {
             "tags" : [ "security", "external/cwe/cwe-209", "external/cwe/cwe-497" ],
             "description" : "Information from a stack trace propagates to an external user.\n              Stack traces can unintentionally reveal implementation details\n              that are useful to an attacker for developing a subsequent exploit.",
-            "id" : "java/stack-trace-exposure",
+            "id" : "java/error-message-exposure",
             "kind" : "problem",
             "name" : "Information exposure through a stack trace",
             "precision" : "high",
@@ -70,10 +70,10 @@
       }
     } ],
     "results" : [ {
-      "ruleId" : "java/stack-trace-exposure",
+      "ruleId" : "java/error-message-exposure",
       "ruleIndex" : 0,
       "rule" : {
-        "id" : "java/stack-trace-exposure",
+        "id" : "java/error-message-exposure",
         "index" : 0
       },
       "message" : {
@@ -116,10 +116,10 @@
         }
       } ]
     }, {
-      "ruleId" : "java/stack-trace-exposure",
+      "ruleId" : "java/error-message-exposure",
       "ruleIndex" : 0,
       "rule" : {
-        "id" : "java/stack-trace-exposure",
+        "id" : "java/error-message-exposure",
         "index" : 0
       },
       "message" : {
@@ -162,10 +162,10 @@
         }
       } ]
     }, {
-      "ruleId" : "java/stack-trace-exposure",
+      "ruleId" : "java/error-message-exposure",
       "ruleIndex" : 0,
       "rule" : {
-        "id" : "java/stack-trace-exposure",
+        "id" : "java/error-message-exposure",
         "index" : 0
       },
       "message" : {

diff --git a/core-codemods/src/test/resources/webgoat_v8.2.2_codeql.sarif b/core-codemods/src/test/resources/webgoat_v8.2.2_codeql.sarif
@@ -4090,8 +4090,8 @@
                   "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n",
                   "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"
                 },
-                "id": "java/stack-trace-exposure",
-                "name": "java/stack-trace-exposure",
+                "id": "java/error-message-exposure",
+                "name": "java/error-message-exposure",
                 "properties": {
                   "security-severity": "5.400000",
                   "tags": [